Complete the Shopping Cart Admin Tool for Your PHP Online Store | 2

Complete the Shopping Cart Admin Tool for Your PHP Online Store [con't]

The Final Two Scripts for the Shopping Cart

In the previous section, we looked at the main/change.php script. In this section, we will examine the two remaining scripts for shopping cart administration, which respectively enable the administrator to insert a new book and remove an existing book. Here's a screenshot of the form for adding a new book:

Add a New Book

Let's jump right into the code.

<?php
include "../connect.php";
$isfile=false;
$err=false;
$errmsg=false;
if(isset($_POST['submit'])){
//clean/escape variables
//the date has not been processed here
$author=mysql_escape_string($_POST['auth_name']);
$pubaddress=mysql_escape_string($_POST['pub_address']);
$pubname=mysql_escape_string($_POST['pub_name']);
$gID=mysql_escape_string($_POST['genID']);
$b_title=mysql_escape_string($_POST['title']);
$b_price=mysql_escape_string($_POST['price']);
$b_isbn=mysql_escape_string($_POST['isbn']);
//check if you need to upload..
if($_FILES['userfile']['name']) {
//there's a file...
$isfile=true;
}
//insert author
$auth="INSERT INTO author SET auth_name='".$author."'";
$result_auth=mysql_query($auth);
if($result_auth){
$authid=mysql_insert_id();
}else{
$err=true;
$errmsg="auth ".mysql_error();
}
//insert publisher
$pub="INSERT INTO publisher SET pub_name='".$pubname."',pub_address='".$pubaddress."'";
$result_pub=mysql_query($pub);
if($result_pub){
$pubID=mysql_insert_id();
}else{
$err=true;
$errmsg="pub " .mysql_error();
}
if(!$err){
//insert book after getting the new IDs of the above categories
$books="INSERT INTO books SET authID='".$authid."',pubID='".$pubID."',";
$books .="title='".$b_title."',price='".$b_price."',date_of_pub='".$td."',";
$books .="genID='".$gID."',book_img='empty',ISBN='".$b_isbn."'";
$result_books=mysql_query($books);
if($result_books){
$new_id=mysql_insert_id();
$isfile =true;
$msg = "Details for new book have been entered in the database.";
}else{
$msg =mysql_error();
$isfile = false;
}
}//if
//insert upload file now
if($isfile){
$uploadpath = "uploads/";
$filename=$_FILES['userfile']['name'];
$cleanfile=mysql_escape_string($_FILES['userfile']['name']);
  if(move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadpath . $cleanfile)) {
//update table
$query_upl = "UPDATE books SET book_img = '" . trim(addslashes($cleanfile)) . "' WHERE book_id = '".$new_id."'";
mysql_query($query_upl);
$msg .="File uploaded and saved";
}
}
}//submit
?>
<html>
<head>
  <title></title>
</head>
<body>
 <table width="100%" border="0">
  <tr>
    <td colspan="2"><h1>Pleasure Reading Inc. - Add New Book </h1></td>
  </tr>
  <?php if(!isset($msg) OR ($err)){ ?>
 <form enctype="multipart/form-data" action="newbook.php" method="post">
    <tr>
    <td valign="top" bgcolor="#ECE9D8" colspan="2"><strong>General Information:</strong></td>
  </tr>
  <tr>
    <td width="16%"><strong>Title:</strong></td>
    <td width="84%"><label>
      <input name="title" type="text" size="40" />
    </label></td>
  </tr>
  <tr>
    <td valign="top"><strong>Price:</strong></td>
    <td><label>
      <input name="price" type="text" size="40" />
    </label></td>
  </tr>
  <tr>
    <td><strong>ISBN:</strong></td>
    <td><label>
      <input name="isbn" type="text" size="40" />
    </label></td>
  </tr>
  <tr>
    <td><strong>Date of Publication:</strong></td>
    <td><label>
      <input name="dop" type="text" size="40" />
    </label></td>
  </tr>
  <tr>
    <td valign="top"><strong>Book Image</strong></td>
    <td><label>
      <input name="userfile" type="file"/>
    </label></td>
  </tr>
  <br>
  <tr>
    <td valign="top" colspan="2" bgcolor="#ECE9D8"><strong>Genre Information:</strong></td>
     </tr>
   <tr>
    <td><strong>Genre:</strong></td>
    <td><label>
      <select name="genID">
      <?php $getgen = "SELECT * FROM genres ";
      $result=mysql_query($getgen);
      if($result){
      while($row=mysql_fetch_assoc($result)){
      echo '<option value='.$row['gen_id'].' >'.$row['gen_name'].'</option>';
     }
     }else{
     echo mysql_error();
             }
     ?>
    </select>
    </label></td>
  </tr>
 <tr>
    <td valign="top" colspan="2" bgcolor="#ECE9D8"><strong>Publisher Information:</strong></td>
    </tr>
    <tr>
    <td width="16%"><strong>Name:</strong></td>
    <td width="84%"><label>
      <input name="pub_name" type="text" size="40" />
    </label></td>
  </tr>
  <tr>
    <td valign="top"><strong>Address:</strong></td>
    <td><label>
      <textarea name="pub_address"></textarea>
    </label></td>
  </tr>
 <tr>
    <td valign="top" colspan="2" bgcolor="#ECE9D8"><strong>Author Information:</strong></td>
      </tr>
    <tr>
    <td width="16%"><strong>Name:</strong></td>
    <td width="84%"><label>
      <input name="auth_name" type="text" size="40" />
    </label></td>
  </tr>
  <tr>
    <td><label>
      <input type="submit" name="submit" value="Add New Book" />
    </label></td>
  </tr>
 </form>
 <?php }else{
 ?>
 <tr>
 <td>
 <p>
 <?php echo $msg;?>
 </p>
 </td>
 </tr>
  <?php } ?>
 </table>
</body>
</html>

The first part of the code initializes the following variables:

$err - Boolean variable that is set to true when an error occurs
$$errmsg - Variable that stores the error message
$$isfile - Boolean variable that is set to true if a file is present

All of them are used at different times throughout the script. Usually, you don't need to initialize variables, but in some environments you get a warning stating that the variable was not defined. So, I'm just trying to cover all the bases by initializing them.

Now, the overall purpose of this script is to enable the administrator to insert a new book. So, after the form has been submitted, we put the form variables through the usual filter process:

Next, we check if there is a file to be uploaded and set the $isfile variable to true or false depending:

The next two pieces of code insert information into the publisher and author tables and store the last inserted record number using the mysql_insert_id() function to capture the ID:

Note the use of the $err and $errmsg variables. Though this is a good way to handle error messages, it is advisable to use an error-logging class or the PHP logs themselves to write errors to, when not in development. PHP error messages are notorious for leaking sensitive information. Sometimes you can't prevent that, because it might be the way your web host set up PHP on their servers. Most people these days make sure that they configure their PHP settings correctly to avoid this kind of security vulnerability.

When all the newly inserted record IDs are safely stored in variables, the code then goes on to insert the new book details into the books table, including the IDs mentioned above:

The script needs the newly inserted record ID, because it will use it in the upload code to match the newly uploaded file to the right record in the books table:

Next is the code that actually uploads the file. An upload path is defined and the directory in this case is uploads. Make sure that the folder has all the necessary permissions before trying to upload a file.

The next part transfers the uploaded file name into a variable called $filename, then the variable is "cleaned" with the mysql_real_escape_string() function:

Next, the file is moved to its final destination and the books table is updated accordingly. If the update is successful, then a "File uploaded and saved" message is sent later:

The actual HTML basically displays a form that has fields that match each table in the database, look at the red text:

<table width="100%" border="0">
  <tr>
    <td colspan="2"><h1>Pleasure Reading Inc. - Add New Book </h1></td>
  </tr>
  <?php if(!isset($msg) OR ($err)){ ?>
 <form enctype="multipart/form-data" action="newbook.php" method="post">
    <tr>
    <span style="color: 'red'"><td valign="top" bgcolor="#ECE9D8" colspan="2"><strong>General Information:</strong></td></span>
  </tr>
  <tr>
    <td width="16%"><strong>Title:</strong></td>
    <td width="84%"><label>
      <input name="title" type="text" size="40" />
    </label></td>
  </tr>
  <tr>
    <td valign="top"><strong>Price:</strong></td>
    <td><label>
      <input name="price" type="text" size="40" />
    </label></td>
  </tr>
  <tr>
    <td><strong>ISBN:</strong></td>
    <td><label>
      <input name="isbn" type="text" size="40" />
    </label></td>
  </tr>
  <tr>
    <td><strong>Date of Publication:</strong></td>
    <td><label>
      <input name="dop" type="text" size="40" />
    </label></td>
  </tr>
  <tr>
    <td valign="top"><strong>Book Image</strong></td>
    <td><label>
      <input name="userfile" type="file"/>
    </label></td>
  </tr>
  <br>
  <tr>
    <span style="color: 'red'"><td valign="top" colspan="2" bgcolor="#ECE9D8"><strong>Genre Information:</strong></td></span>
     </tr>
   <tr>
    <td><strong>Genre:</strong></td>
    <td><label>
      <select name="genID">
      <?php $getgen = "SELECT * FROM genres ";
      $result=mysql_query($getgen);
      if($result){
      while($row=mysql_fetch_assoc($result)){
      echo '<option value='.$row['gen_id'].' >'.$row['gen_name'].'</option>';
     }
     }else{
     echo mysql_error();
             }
     ?>
    </select>
    </label></td>
  </tr>
 <tr>
    <span style="color: 'red'"><td valign="top" colspan="2" bgcolor="#ECE9D8"><strong>Publisher Information:</strong></td></span>
    </tr>
    <tr>
    <td width="16%"><strong>Name:</strong></td>
    <td width="84%"><label>
      <input name="pub_name" type="text" size="40" />
    </label></td>
  </tr>
  <tr>
    <td valign="top"><strong>Address:</strong></td>
    <td><label>
      <textarea name="pub_address"></textarea>
    </label></td>
  </tr>
 <tr>
    <span style="color: 'red'"><td valign="top" colspan="2" bgcolor="#ECE9D8"><strong>Author Information:</strong></td></span>
      </tr>
    <tr>
    <td width="16%"><strong>Name:</strong></td>
    <td width="84%"><label>
      <input name="auth_name" type="text" size="40" />
    </label></td>
  </tr>
  <tr>
    <td><label>
      <input type="submit" name="submit" value="Add New Book" />
    </label></td>
  </tr>
 </form>
 <?php }else{
 ?>
 <tr>
 <td>
 <p>
 <?php echo $msg;?>
 </p>
 </td>
 </tr>
  <?php } ?>
 </table>

Next comes the delete.php script:

The delete script is responsible for removing books from the database. It receives a bookid variable, which we put through the filtering process to validate and clean.

After that, the query to remove the book is run:

Then we redirect the user to the booklist page or an error page depending on whether the query was successful:

Original: March 26, 2010

[prev]

Complete the Shopping Cart Admin Tool for Your PHP Online Store | 2

Complete the Shopping Cart Admin Tool for Your PHP Online Store [con't]

The Final Two Scripts for the Shopping Cart

Find a programming school near you